Once Again, Security Company Suggests Microsoft Making Its Own Software Secure Is An Antitrust Violation

from the rock-and-a-hard-place dept

For many years, we've pointed out that Microsoft is in a bit of a rock and a hard place when it comes to security software. The company more or less created an entire outside industry in having its software be so incredibly insecure that various other firms had to step up to secure it. But, that puts Microsoft in a really tough position. Does it fix its own security flaws... or is doing so a way to abuse its market position to put the security firms out of business? It's hard to see how that latter position makes much sense to anyone other than those who work for the security companies, but they continue to make those claims. The latest is from Trend Micro, who is complaining that Microsoft Security Essentials (MSE) is an antitrust violation. The article linked here notes that this is even more ridiculous than you might expect, in that MSE is an optional download. Either way, it seems like a pretty huge stretch to claim that fixing your own security holes could possibly be an antitrust violation. The real problem may be that Trend Micro jumped into a business that relied on another company continuing to suck.

Re:

Trend Micro is trending down.

Trend Micro is wasting time and money with that claim unless TM can show collusion between MS and one of TM's competitors, such as Symantech. Acting alone, MS can do security. TM will go down in flames on that case unless they have proof of collusion. TM might look to Avast! for a better business model, rather than taking a flyer on a longshot litigation like this. This nowhere close to the powerful antitrust claim MS beat on IE. Trend Micro is trending down toward becoming an insignificant micro-business.

MSE is the Ford Fiesta of AV

It does a reasonably good job for what you pay for it but there are better options available for those who are willing to pay more. I used to use AVG Free on my non business related systems but it got a little bloated and intrusive, so I switched to MSE. I've always kept ClamAV installed with a scheduled scan as a secondary measure.

Professorially, the big problem with MSE is that it really isn't manageable. I suppose that a small company with a hig risk tolerance would be OK with MSE but most businesses, organizations, & government agencies need something more. Even Microsoft competes with MSE, with their Forefront client security product.

The bottom line is that if you can't make an AV product that is better than MSE, you are getting what you deserve if folks aren't buying it.

M$ inherently has inside info that gives it unfair advantage.

If M$ wants to promote security, they can do it from the direction that they *utterly* control: the original code. If they were competent at writing an OS -- instead of attempting the accessories and thereby leveraging against other companies -- then they actually *could* cut out most security programs in a legal way. But, being M$, they profit from their flaws, and being M$ partners means profiting in the ecosystem that thrives on those flaws, and being M$ customers means a slavish acceptance that M$ is the only *possible* choice.

Anti-trust to reduce a monopoly -- even if it were "natural" -- is entirely a good purpose in line with historical use. The world basically is held hostage to M$'s stupidity besides cupidity, and if a really good virus is written, it could bring the whole house of cards down. It's too much risk to place on a company with M$'s history of unethical competition.

Re: M$ inherently has inside info that gives it unfair advantage.

It sounds like you are saying that if Microsoft wrote software without bugs that we wouldn't need antivirus software. That could not be any more wrong. The reason there are no viruses for Apple computers is because not that many people use them comparatively speaking. Apple OS is full of just as many bugs/security issues as Windows, it's just that no one bothers to exploit them because the impact isn't great enough. Antivirus software will always be necessary no matter if the OS is bug free or not.

Re: Re: M$ inherently has inside info that gives it unfair advantage.

That was a really terrible argument. A) who said anything about Apple or any other OS? B) No, if your OS has no bugs/security holes it cannot be exploited. C) If your OS cannot be exploited (completely impossible but for the sake of argument...) it does not need anti-virus software.

Re: M$ inherently has inside info that gives it unfair advantage.

I agree with you.

M$ shouldn't be making security software. They should make secure software.

I am not talking about the idiots that will click on anything, either. I am talking about the drive-by downloads that still happen in IE8, (That was supposed to stop being possible in IE7,) and the fake AV that invaded a Vista computer though M$ Outlook. XP was supposedly the safe OS. Then Vista was supposedly the Security First software. I haven't heard any nightmare stories on Win7, yet... (Except the nightmare of trying to administer it. I can't make heads or tails out of Vista or 7. Yuck! No fun at all!)

I asked this question almost a decade ago. Win2K had some security flaws. Supposedly, XP was more secure, but it was like 7 times the size. Then Vista came out and it was like 9 times the size of that. Now Windows 7 is still bigger, (but not quite as drastically, I don't think.) My question is this:

If a million lines of code has a thousand potential exploits in it, how can 7 million lines of code have less?

More code cannot give you less potential exploits. It isn't logical. It is way past time to de-bloat the OS.

Mike, I have to disagree, this is an antitrust violation

If Micro$oft were publishing fixes and system patches to correct the flaws, I'd be fine with that.
But here they intentionnally don't fix it and push their antivirus solution. So this is unfair competition

Re: Mike, I have to disagree, this is an antitrust violation

You're kidding, right? They "intentionnally [sic] don't fix it and push their antivirus solution"? Nowe, if Microsoft (a) Prevented other AV solutions from working and (b) if they CHARGED for MSE, that argument may have a shred of validity, but MSE is free... there are plenty of people out there who don't want a do-all, end-all security suite, so they opt for the free software. And, by the way, is AVG or Panda ALSO guilty of antitrust, since they, too, provide free solutions (AVG Free and Panda Cloud Antivirus)? Anybody? Anybody? Buehler?

Re: Re: Mike, I have to disagree, this is an antitrust violation

"You're kidding, right? They "intentionnally [sic] don't fix it and push their antivirus solution"? Nowe, if Microsoft (a) Prevented other AV solutions from working and (b) if they CHARGED for MSE, that argument may have a shred of validity, but MSE is free... there are plenty of people out there who don't want a do-all, end-all security suite, so they opt for the free software."

(a) They have an advantage because they know the inherent code, whereas AV vendors don't.
(b) Are you sure MSE will always be free?

Re: Re: Re: Mike, I have to disagree, this is an antitrust violation

C) Micro$oft were publishes fixes and system patches to correct flaws on a regular basis (at LEAST monthly)
D) Anti-Virus Software has very little to do with system patches and more to do with ID10T & PEBCAK issues in a modern environment. (IE the moron that does not UPDATE their software on a regular basis)

Horse Manure!

Alatar, that's total horse manure. You think they're ACTIVELY NOT fixing fundamental flaws discovered in their OS and instead address them with MSE? That makes no sense. If that were the case then Trend's solution would be just as capable of doing the same, so MS would be letting ALL BIDDERS (including Trend) solve their problems for them.

I'm lost...

This isn't about "Does it fix its own security flaws... or is doing so a way to abuse its market position to put the security firms out of business?"

Do people honestly believe that the reason Windows is more vulnerable to viruses is because MS's product is or was fundamentally insecure? (OK OK, Internet Explorer was a pretty big open door for a long time) - No, it's because most people use Windows and it has the largest exposure!

It's about MS making a great anti-virus / anti-malware program and Trend can't stand that their customers are dwindling.

Before I started using MSE I did a lot of research... I wanted a native 64-bit app that had a small memory and CPU footprint and that had exceptionally good virus / malware interception capabilities with few false positives. In the studies I found, MSE met or exceeded every one of my requirements.

Why, then, would I pay for a Trend Micro solution? Let's imagine MS is out of the picture for now and MSE isn't available to me for free (or for pay) - I STILL don't choose Trend's AV product / suite because it's simply not as good as other products out there (even the free ones)

I just realized this post makes me sound like a huge MS fanboy and I have to tell you that is FAR from the truth. I just don't have much patience for Trend Micro and the like with their shitty, overpriced products that slow your machine down to a crawl and no-one in their right mind (after doing even modest research) would actually go buy.

Re: I'm lost...

You have several interesting & valid points, the plain fact of the matter is that in between the market manipulation and the anti-trust issues there is some genuine innovation that happens at Microsoft; Surface and the F# language are two examples. But when you come from a Unix/Linux background to the Microsoft world, and examine Windows and the like under the covers, some very strange architectural choices come to light, and many of those strange choices are in the security layer of the file system, as a negative example. NTFS has a very complicated and cryptic file protection scheme compared to permissions on a Unix file system. They've made some pretty frankly strange decisions in that arena and that cuts right to the heart of the matter. Also, in making their systems easy to use the decision default " on " all services and subsystems was a pretty bad one. Each and every service on a windows PC is a possible attack vector for malicious 'sploiter to 'sploit. Linux certainly has its own share of problems, the X display system is full of security concerns, for their bad example. But basic security is part of the Unix family, not an afterthought or a "feature".

Re: Wow

Now if only they would de-bloat it. Patching is good, but rewriting would be much better.

Every good or bad idea that has ever come across the user experience has been integrated into Windows. Windows needs to take programs out of the kernel. The kernel should be impenetrable, so the OS isn't so easily corruptible. Root kits should not be possible!

The anti trust nonsense that occurred in Europe wasn't about M$ giving away a free browser, but that the browser was integrated into the kernel and could not be uninstalled. Give away all the crap you want, just don't incorporate it into the kernel so it cannot be removed, and be so easily exploited.

Give me a break

This comes from an IT Director that had Trend OfficeScan on a network of over 230 workstations and found that Microsoft Security Essentials did a better job than Trend in keeping malware off of the systems.

When we switched from McAfee 8.5 to Trend Micro's OfficeScan 10(?) we had a huge influx of systems infected with malware through drive-by installations such as the AntiVirus 2008-2010 bug. That bug was so tough that Malwarebytes wasn't able to remove it 90% of the time and because of this we re-formatted 100% of systems that came in that way.

When I worked for the state, they were using Trend and it worked very well, but Trend has gotten extremely complacent. Their AV was extremely heavy, slowed systems down a lot, and even though it seemed to be scanning heavily, it wouldn't do an on the fly deletion of most drive-by bugs. It'd let them get to the temp folders and then sent out an email stating "Trend couldn't remove or quarantine X bug from C:\blahblahblah". What good is your crappy ass antivirus product then???

Why should I pay over $4500 for a yearly license when your product doesn't stop squat!?

MSE at least seems to be a decent on-demand virus scanner and according to AV-Comparatives was better than Trend Micro
, catching 96.3% of bugs vs Trend's 90.7% and it's FREE!!!

Trend Micro's product also had the highest incidence of false positives out of a test set of 1.2 million malware sample. Trend dinged 38 false positives vs MSSE at 3... THREE! Rhymes with FREE!!!

You wonder why Trend is losing out to MSE...??? Really? You have to ask?

AV Comparatives has four ratings: Advanced+, Advanced, Standard, and TESTED. MSE received the Advanced rating compared to Trend which only received a TESTED rating.

Hrm...

This reminds me of when Norton and others (I think Trend was one of them) were suing Microsoft over in Europe for Microsoft to put the security holes back into Windows Vista that Microsoft used to have in XP.

Obviously, that didn't go far.

Heck, I don't even know if Microsoft markets Security Essentials beyond their own website. I was pretty surprised that the CNET rating was rather positive on the product, especially on a product that Microsoft put out only because people kept demanding it.

Ironically, Trend Micro trials are often found on newly purchased PCs - and Security Essentials has to be downloaded and installed. Too bad Trend Micro didn't pay attention to what happened to Norton, because now they're in the same shoes as Norton was a few years ago (losing market share as their program became bloated and not as effective).

AV Software

All programs have security issues. Not all of them are fixed or knowable to fix right away. Hackers will eventually get into any large system through the various holes. They will leave a virus. Antivirus software cleans up the virus when the signature is known. It is the last line of defense against a virus before reformat.

Also, who cares if Microsoft has better knowledge of their own systems? If you are not allowed to build something because you know what others, what are you allowed to build?

Any improvement in the OS could be blocked by such a flimsy argument. Remember, an OS includes programs in it.

Good points but....

I can't speak to 7 or Vista (which I have limited experience with) but, I can speak to XP, 2000. The encrypted file system works, but, only if you deliberately encrypt a file. Any Linux live CD or UBCD4 Windows can cut right through the security of any file that is not deliberately encrypted and password protected.

And I agree that no piece of software is absolutely secure, nor can it be. But, there seems to have been a deliberate calculated decision to leave the security holes open and to plug them after the OS goes to market. Microsoft products have been left vulnerable for many other explanations to make sense. Yes, no software can be made un-exploitable, but, the shear quantity of exploits against Microsoft software leads one to think that the beta testing for security has been somewhat lax.

Further, I'd point out that most of the world's web servers run some flavor of Linux using Apache, and there has been relatively few exploits against these systems. Some yes. But, RELATIVELY few.

I think Microsoft's biggest problems (historically speaking) are a) sloppy coding and b) as MikeLinPA pointed out, software bloat. Trying to do to much without taking time to look for security holes will always render software vulnerable.

Security process for Windows: Download file--->possibly popup asking for admin access--->File is downloaded computer is infected. This is as complicated as it gets.

Security permissions for Linux: Download file--->Change file to allow executable--->Change permissions on file to root---> Sudo/$/Root--->run the file---> some small tiny area of your computer is infected...maybe...if a patch hasn't already come out in the 2 days since it was found to completely nullify it.

Mac Security process: Buy Virus because Steve Jobs said so. Install Virus...Call it OS something and name it after a large cat. Automatically deduct from checking into Steve Jobs checking.

Ah, but here is the argument.....

Microsoft is NOT making their software secure, but rather covering up or trying to patch design deficiencies (some of which come from Microsoft's "Run Anything on our OS!" point of view) with their OWN offering.

There is some argument to say that since Microsoft knows where the holes are AND has the source code, they are better able than say.... Symantec to be able to offer solutions that use less memory and CPU power.

Actually MSE is a very clever corporate strategy, what better way to improve your security product that ot throw it out ot the unwashed masses to use, collect the data then profit. Having said that, the time will come when a version of windows designed from the ground up as a "default deny" kernel will in fact be secure. We may even see it by 2020.